Differences between version 8 and predecessor to the previous major change of FilePermissions.
Other diffs: Previous Revision, Previous Author, or view the Annotated Edit History
Newer page: | version 8 | Last edited on Wednesday, April 4, 2007 9:32:00 am | by AristotlePagaltzis | Revert |
Older page: | version 7 | Last edited on Monday, April 2, 2007 12:14:17 pm | by CraigBox | Revert |
@@ -1,45 +1,53 @@
-Here's a directory listing (
<tt>ls -l</tt>)
:
+Here's a directory listing as produced by
<tt>ls -l</tt>:
<verbatim>
-rw-r--r-- 1 mythtv users 1706 2005-10-13 14:01 release.keys
</verbatim>
-<?plugin OldStyleTable caption="Columns"
border||=
-| -rw-r--r-- | File permissions
-| 1 | number of links
-| mythtv | file owner
-| users | file group
-| 1706 | file size
-| 2005-10-13 14:01 | creation time
-| release.keys | filename
+Here, the various columns mean the following:
+
+
<?plugin OldStyleTable border||=
+| <tt>
-rw-r--r--</tt>
| File permissions
+| <tt>
1</tt>
| number of links
+| <tt>
mythtv</tt>
| file owner
+| <tt>
users</tt>
| file-owning
group
+| <tt>
1706</tt>
| file size
+| <tt>
2005-10-13 14:01</tt>
| creation time
+| <tt>
release.keys</tt>
| filename
?>
-This page concentrates on the file permissions.
+This page concentrates on the first bit:
the file permissions.
+
+[UNIX] file permissions are made up of three groups: the __u__ser who owns the file, the __g__roup that the file belongs to, and __o__ther people. These letters are important as you can use them to instruct [chmod(1)] change the permission of the file.
+
+For each part, you have __r__ead, __w__rite, and e__x__ecute access. These are displayed as <tt>rwx</tt>.
+
+Typically, system data files as well files served from a WebServer or such have <tt>-rw-r--r--</tt>, ie. they're readable for everyone but writable only for their owner; files with private data have <tt>-rw-------</tt>: readable and writeable only for their owner and noone else. Directories and executable files generally have <tt>-rwxr-xr-x</tt>: they're readable and executable for everyone but writable only for their owner. The executable permission on directories means that it may be used as part of a path; f.ex., if user <tt>bob</tt> does not have execute permission for <tt>/var/queue/joe</tt>, he will not be able to read <tt>/var/queue/joe/msg.371</tt>, even if he has read permission on the file itself
.
-UNIX file permissions
are made up of three groups:
the __u__ser who owns the file, the __g__roup that the file belongs to, and __o__ther people. These letters are important as you can use them to instruct
chmod(1) change the permission
of the file
.
+Permissions
are altered on
the [Shell] using [
chmod(1)]. (''Missing here is an explanation
of the 4=r, 2=w, 1=x mapping
. Feel free to AddToMe.'')
-For each part
, you have __r__ead
, __w__rite
, and e__x__ecute access. These are displayed as 'rwx
'.
+Generally
, the fewer permissions
you grant
, the better. Most importantly
, there
's almost never a good reason to make files writable for everyone
.
-There are also sticky bit (shown with a t when listing directories)
and setuid bit shown with a s.
+!!! Sticky
and setuid
-The sticky bit allows the use
of share directories basically where only the owner of the directory or the owner of the file can delete the file within a directory
(as opposed to the normal situation where
if you can write files
in a directory
you can delete any file in that directory
)
+There are actually two more permissions that are almost never useful outside
of system files
(so
if you're not
in this to learn how [UNIX] works,
you can skip this part
).
-The setuid
bit allows
you to run the program as
the file owner or group owner rather than
the executor
. For example the
file can
run as root instead
of a normal user and therefore
do priviledged things. However this is something you have to be very careful with as
it can leave
gaping security holes.
+The __s__etuid
bit is shown with an <tt>s</tt> in directory listings. It specifies that when
you execute
the file, you assume the identity of the
owner of
the file
. For example, if a
file is owned by <tt>root</tt> and has the setuid permission set, it will
run as <tt>
root</tt> when you execute it, regardless
of what your identity is. This is
a way to allow regular users to
do priviledged things; however
it can easily lead to
gaping security holes.
-The most common commandline program to alter permissions
is [chmod
(1)]
.
+The s__t__icky bit
is shown with a <tt>t</tt> in directory listings is used for some widely shared system directories. It specifies that only the owner of a file can delete it. Normally, anyone who can create a file in a directory can delete ''any'' file in that directory.
(To be precise, the owner of a directory with the sticky bit set can also delete any of the files in it
.)
-There's an
[excellent guide to permissions at Greg's wiki|http://wooledge.org/mywiki/Permissions
], which you should go and read right now. [Linux Focus|http://www.linuxfocus.org/English/January1999/article77.html] also has a good article to read.
+!!! Recursive
[chmod(1)
]
-And remember
the less permissions
you give
the better
.
+[chmod(1)] has a potentially very convenient switch: <tt>-R</tt>, which, as you'll suspect if you've used other [UNIX] tools, means "recurse into directories and apply
the change to the entire directory tree." However, because directories need to be executable before
you can refer to any of
the files inside them, it would sometimes seem that this convenient switch cannot be used. F.ex., saying <tt>chmod -R a-x ./foo/</tt> isn't very useful because that will make everything inside <tt>foo</tt> non-executable, including directories, which means you can't access any of it
.
-!!Recursively Change Permissions of Just Files Or Just Folders
+However, modern [chmod(1)]s understand a special pseudo-permission, called <tt>X</tt> (eg. uppercase X as opposed to <tt>x</tt>). It means "executable, but only when operating on a directory; no change otherwise". That way, you can say <tt>chmod -R a-x,a+X ./foo/</tt>, which will make [chmod(1)] remove the executable bit from every file but then also ''set'' the executable bit if it's a directory.
-*
find <path> -type d -exec chmod 755 {} \;
+Before this, it was sometimes necessary to go through inconvenient contortions involing [
find(1)] in order to operate only on files or only on directories. While that's still occasionally necessary, those occasions are much rarer.
-This will recursively search your directory tree and chmod all directories only.
+!!! See also
-Chmod all files only (and ignore the directories)
:
+* [An excellent guide to permissions at Greg's wiki | http
://wooledge.org/mywiki/Permissions]
+* [A Linux Focus article about file permissions | http://www.linuxfocus.org/English/January1999/article77.html]
-*find <path> -type f -exec chmod 611 {} \;
----
CategoryBeginners